公开(公告)号：US20180332053A1

公开(公告)日：2018-11-15

申请号：US15595016

申请日：2017-05-15

Applicant: Cisco Technology, Inc.

Inventor： Brian E. Weis ,  Blake Harrell Anderson ,  Rashmikant B. Shah ,  David McGrew

IPC: H04L29/06 ,  G06N99/00

CPC classification number: H04L63/126 ,  G06N99/005 ,  H04L63/04 ,  H04L63/08 ,  H04L63/104

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

公开(公告)号：US20170026417A1

公开(公告)日：2017-01-26

申请号：US15217154

申请日：2016-07-22

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Vina Ermagan ,  Fabio R. Maino ,  Florin T. Coras ,  Marius Horia Miclea ,  John William Evans ,  Paul Quinn ,  Darrel Jay Lewis ,  Brian E. Weis

IPC: H04L29/06 ,  H04L12/741 ,  H04L29/12 ,  H04L12/46

CPC classification number: H04L63/20 ,  H04L12/4633 ,  H04L12/4641 ,  H04L45/54 ,  H04L45/64 ,  H04L45/74 ,  H04L61/251 ,  H04L63/0272 ,  H04L63/029 ,  H04L63/0428 ,  H04L63/06 ,  H04L69/03

Abstract: Aspects of the embodiments are directed to systems, methods, and computer program products to program, via a northbound interface, a mapping between an endpoint identifier (EID) and a routing locator (RLOC) directly into a mapping database at a mapping system; receive, from a first tunneling router associated with a first virtual network, a mapping request to a second virtual network, the first router compliant with a Locator/ID Separation Protocol, the mapping request comprising an EID tuple that includes a source identifier and a destination identifier; identify an RLOC based, at least in part, on the destination identifier of the EID tuple from the mapping database; and transmit the RLOC to the first tunneling router implementing an high level policy that has been dynamically resolved into a state of the mapping database.

Abstract translation: 实施例的方面涉及通过北向接口将端点标识符（EID）和路由定位器（RLOC）之间的映射直接编程到映射系统的映射数据库中的系统，方法和计算机程序产品; 从与第一虚拟网络相关联的第一隧道路由器接收对第二虚拟网络的映射请求，所述第一路由器符合定位符/ ID分离协议，所述映射请求包括包含源标识符和目的地的EID元组 标识符 至少部分地基于来自映射数据库的EID元组的目的地标识符来识别RLOC; 并将RLOC发送到实现已经被动态地解析成映射数据库的状态的高级策略的第一隧道路由器。

公开(公告)号：US09282077B2

公开(公告)日：2016-03-08

申请号：US13733579

申请日：2013-01-03

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Srinath Gundavelli ,  Brian E. Weis

IPC: H04W72/04 ,  H04L29/12 ,  H04L12/701 ,  H04L29/06 ,  H04L29/08 ,  H04L12/721 ,  H04W8/04

CPC classification number: H04L61/2007 ,  H04L29/12254 ,  H04L29/12283 ,  H04L29/12933 ,  H04L45/00 ,  H04L45/72 ,  H04L61/2038 ,  H04L61/2061 ,  H04L61/6068 ,  H04L63/0428 ,  H04L67/12 ,  H04W8/04 ,  H04W72/04

Abstract: An example method includes receiving an Internet protocol (IP) address request in a network and selecting an IP address associated with a prefix that represents an IP subnet. The prefix includes a color attribute to be provided as part of a communication session that includes a plurality of packets. The prefix defines one or more properties associated with an application for the session. The prefix is communicated to a network element in a signaling plane, the prefix is configured to be used to make a routing decision for at least some of the plurality of packets. In more specific embodiments, the method can include applying one or more network policies based on the prefix associated with the IP address. The method could also include decrypting an encryption protocol in order to identify the prefix of a subsequent communication flow, and executing a routing decision based on the prefix.

公开(公告)号：US20210297454A1

公开(公告)日：2021-09-23

申请号：US17330641

申请日：2021-05-26

Applicant: Cisco Technology, Inc.

Inventor： Brian E. Weis ,  Blake Harrell Anderson ,  Rashmikant B. Shah ,  David McGrew

IPC: H04L29/06 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

公开(公告)号：US11038893B2

公开(公告)日：2021-06-15

申请号：US15595016

申请日：2017-05-15

Applicant: Cisco Technology, Inc.

Inventor： Brian E. Weis ,  Blake Harrell Anderson ,  Rashmikant B. Shah ,  David McGrew

IPC: H04L29/06 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

公开(公告)号：US20190253319A1

公开(公告)日：2019-08-15

申请号：US15892951

申请日：2018-02-09

Applicant: Cisco Technology, Inc.

Inventor： Panagiotis Theodorou Kampanakis ,  Blake Harrell Anderson ,  Brian E. Weis ,  Charles Calvin Byers ,  M. David Hanes ,  Joseph Michael Clarke ,  Gonzalo Salgueiro

IPC: H04L12/24 ,  G06N5/02 ,  H04L12/26

CPC classification number: H04L41/0893 ,  G06N5/025 ,  H04L41/0816 ,  H04L43/08

Abstract: In one embodiment, a classification device in a computer network analyzes data from a given device in the computer network, and classifies the given device as a particular type of device based on the data. The classification device may then determine whether a manufacturer usage description (MUD) policy exists for the particular type of device. In response to there being no existing MUD policy for the particular type of device, the classification device may then determine patterns of the analyzed data, classify the patterns into context-based policies, and generate a derived MUD policy for the particular type of device based on the context-based policies. The classification device may then apply one of either the existing or derived MUD policy for the given device within the computer network.

公开(公告)号：US10243928B2

公开(公告)日：2019-03-26

申请号：US15010679

申请日：2016-01-29

Applicant: Cisco Technology, Inc.

Inventor： Warren Scott Wainner ,  Sheela D. Rowles ,  Brian E. Weis ,  David Arthur McGrew ,  Scott R. Fluhrer ,  Kavitha Kamarthy

IPC: H04L29/06 ,  H04L9/08 ,  H04L12/18

Abstract: Various techniques that allow group members to detect the use of stale encryption policy by other group members are disclosed. One method involves receiving a message from a first group member via a network. The message is received by a second group member. The method then detects that the first group member is not using a most recent policy update supplied by a key server, in response to information in the message. In response, a notification message can be sent from the second group member. The notification message indicates that at least one group member is not using the most recently policy update. The notification message can be sent to the key server or towards the first group member.

公开(公告)号：US20180316673A1

公开(公告)日：2018-11-01

申请号：US15582113

申请日：2017-04-28

Applicant: Cisco Technology, Inc.

Inventor： Rashmikant B. Shah ,  Brian E. Weis ,  Kannan Kumar ,  Manoj Kumar Nayak

IPC: H04L29/06

CPC classification number: H04L63/0892 ,  H04L63/166 ,  H04L63/20

Abstract: In one embodiment, an authorized signing authority server receives an authenticity request from a security registrar to vouch for authenticity of a particular device. Based on receiving the authenticity request, the authorized signing authority server may then determine an authenticity state of the particular device, and may also request a device provisioning file for the particular device from a device provisioning server, the device provisioning file defining one or more network security policies for the particular device. Upon receiving the device provisioning file from the device provisioning server, the authorized signing authority server may then return the authenticity state and the device provisioning file for the particular device to the security registrar, causing the security registrar to complete authentication of the particular device based on the authenticity state and the device provisioning file.

公开(公告)号：US20180316563A1

公开(公告)日：2018-11-01

申请号：US15582294

申请日：2017-04-28

Applicant: Cisco Technology, Inc.

Inventor： Kannan Kumar ,  Brian E. Weis ,  Rashmikant B. Shah ,  Manoj Kumar Nayak

IPC: H04L12/24 ,  H04L29/06 ,  H04L29/08

CPC classification number: H04L41/0893 ,  H04L41/0853 ,  H04L41/5051 ,  H04L63/029 ,  H04L63/101 ,  H04L63/20 ,  H04L67/12 ,  H04W4/50 ,  H04W4/70 ,  H04W12/0023 ,  H04W12/0808 ,  H04W12/1002

Abstract: In one embodiment, a network controller for a computer network receives details of a provisioned device and policy requirements for the provisioned device. The network controller may then determine, based on the details and policy requirements for the provisioned device, a plurality of network devices that the provisioned device is configured to communicate through, and may then translate the details and policy requirements for the provisioned device into a plurality of network-device-specific policies, each respective network-device-specific policy corresponding to one of the plurality of network devices that the provisioned device is configured to communicate through. As such, the network controller may then transmit a respective network-device-specific policy of the plurality of network-device-specific policies to the plurality of network devices that the provisioned device is configured to communicate through.

公开(公告)号：US10104050B2

公开(公告)日：2018-10-16

申请号：US15146695

申请日：2016-05-04

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Warren Scott Wainner ,  Brian E. Weis ,  Paul Quinn ,  Scott Roy Fluhrer

IPC: H04L29/06

Abstract: A method is provided in one example embodiment and includes receiving at a node of a transitive IP network a data packet including a Network Services Header (“NSH”); accessing by the transitive IP network node context contained in the NSH, wherein the context may be used by the transitive IP network node to perform an enhanced network service in connection with the received data packet; performing by the transitive IP network node the enhanced network service in connection with the received data packet using the accessed context; and, subsequent to the performing, forwarding the received packet to a next node.